[issue17016] _sre: avoid relying on pointer overflow

2013-03-11 Thread Nickolai Zeldovich 

Nickolai Zeldovich added the comment:

I just submitted the contributor form -- thanks for the reminder.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17016
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue17016] _sre: avoid relying on pointer overflow

2013-03-11 Thread Nickolai Zeldovich 

Nickolai Zeldovich added the comment:

I get an HTTP error when trying to upload another patch through Rietveld, so 
here's a revised patch that avoids the need for Py_uintptr_t (thanks Serhiy).

--
Added file: http://bugs.python.org/file29379/pp-3.patch

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17016
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue17016] _sre: avoid relying on pointer overflow

2013-03-10 Thread Nickolai Zeldovich 

Nickolai Zeldovich added the comment:

Sorry for the delay.  Attached is an updated patch that should fix all of the 
issues mentioned in this bug report.

--
Added file: http://bugs.python.org/file29368/pp-2.patch

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17016
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue17016] _sre: avoid relying on pointer overflow

2013-01-23 Thread Nickolai Zeldovich 

Nickolai Zeldovich added the comment:

Lines 2777 and 3111 do indeed look suspect, because gcc can compile (ptr + 
offset  ptr) into (offset  0):

nickolai@sahara:/tmp$ cat x.c 
void bar();

void
foo(char* ptr, int offset)
{
  if (ptr + offset  ptr)
bar();
}
nickolai@sahara:/tmp$ gcc x.c -S -o - -O2
...
foo:
.LFB0:
.cfi_startproc
testl   %esi, %esi
js  .L4
rep
ret
.p2align 4,,10
.p2align 3
.L4:
xorl%eax, %eax
jmp bar
.cfi_endproc
...
nickolai@sahara:/tmp$ 

Lines 658, 678, 1000, 1084 are potentially problematic -- I don't know of 
current compilers that will do something unexpected, but it might be worth 
rewriting the code to avoid undefined behavior anyway.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17016
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue17016] _sre: avoid relying on pointer overflow

2013-01-23 Thread Nickolai Zeldovich 

Nickolai Zeldovich added the comment:

For an unsigned int offset, see my original bug report: gcc eliminates the 
check altogether, since offset = 0 by definition.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17016
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue17016] _sre: avoid relying on pointer overflow

2013-01-22 Thread Nickolai Zeldovich 

New submission from Nickolai Zeldovich:

Modules/_sre.c relies on pointer overflow in 5 places to check that the 
supplied offset does not cause wraparound when added to a base pointer; e.g.:

SRE_CODE prefix_len;
GET_ARG; prefix_len = arg;
GET_ARG;
/* Here comes the prefix string */
if (code+prefix_len  code || code+prefix_len  newcode)
FAIL;

however, pointer wraparound is undefined behavior in C, and gcc will optimize 
away (code+prefix_len  code) to (true), since prefix_len is an unsigned value. 
 This will happen with -O2 and even with -fwrapv:

nickolai@sahara:/tmp$ cat x.c
void bar();

void
foo(int *p, unsigned int x)
{
  if (p + x  p)
bar();
}
nickolai@sahara:/tmp$ gcc x.c -S -o - -O2 -fwrapv
...
foo:
.LFB0:
.cfi_startproc
rep
ret
.cfi_endproc
...
nickolai@sahara:/tmp$ 

On a 32-bit platform with the development version of cpython, prefix_len seems 
to end up being an 'unsigned int', so I suspect that supplying a large 
prefix_len value (perhaps 0x) could lead to the subsequent loop writing 
garbage all over memory, or worse (but I have not tried to construct a concrete 
input that triggers this bug, so maybe there are some checks that make it 
difficult to trigger the bug).

In any case, this might be worth fixing -- the attached patch provides one 
proposed fix.  Another option might be to add -fno-strict-overflow to the gcc 
flags, which may be a reasonable additional measure to take, to avoid such 
problems biting Python in the future, but I would suggest doing this in 
addition to fixing the code (since not all compilers support such a flag to 
disable certain optimizations).

--
components: None
files: pp.patch
keywords: patch
messages: 180403
nosy: Nickolai.Zeldovich
priority: normal
severity: normal
status: open
title: _sre: avoid relying on pointer overflow
type: security
versions: Python 3.5
Added file: http://bugs.python.org/file28804/pp.patch

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17016
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com